-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NewsBites' short quiz on cybersecurity innovation: As we enter the era
of increased threats and less money for security, knowing the answers
can boost your career.
1. Secure configurations: Which US Army and Air Force initiative is
cutting the time and costs of deploying new systems, radically reducing
the vulnerability of those systems, shortening patch times by more than
80%, reducing operating costs, and making users happier?
2. Stopping targeted attacks from spreading: Which free Microsoft
security tool can be applied totally differently from its standard
application, and yet stop infections from spreading?
3. Highest payoff: Which security controls (from the Top 20) provide the
most defense and are the *only* ones that must be implemented on all
user-accessible systems?
4. Massive risk reduction at low cost: How did a small government agency
get the same kind of rapid and radical risk reduction that the State
Department got, but using just tools and people they already had in
place?
5. Cloud security secrets: What have the cloud vendors failed to do in
security (and failed to tell their customers) that causes the most
immediate risk for their users? And which federal clouds provide the
current benchmark for effective security?
Many of you know the answers. If you don't, you'll find them at the
National Cybersecurity Innovation Conference in October in Washington
DC focusing on really impressive innovations in mitigating targeted
attacks (the advanced persistent threat) and innovations in cloud and
mobile security. http://www.sans.org/ncic-2011/
Alan
**************************************************************************
SANS NewsBites August 26, 2011 Vol. 13, Num. 68
**************************************************************************
TOP OF THE NEWS
Maine Voter Registration System Breached
UK Government Agrees Not To Shut Down Social Networks During Riots
Twitter To Use HTTPS as Default
ComScore Sued Over Extensive Privacy Violations
THE REST OF THE WEEK'S NEWS
Security Breach Exposes 20,000 Log-ins
Ukrainian Authorities Arrest Suspected Credit Card Fraud Gang
U.S. Firms Targeted In Online Sabotage Attack
Email Sent To Bank Staff Reveals Contractors' Rates
Apache Warns of Denial-of-Service Attack Vulnerability
British Man Charged in Connection With Anonymous DDoS Attack
************************** Sponsored By zScaler ***************************
ONLINE WEBCAST with GARTNER: WHY ADVANCED THREAT PROTECTION IS BETTER
DONE IN THE CLOUD
Are you doing enough to manage your security risks in today's Web 2.0
World? Join Peter Firstbrook of GARTNER who will detail why cloud
security is better for advanced threat protection.
Sept 8 at 10am PST / 1pm EST
http://www.sans.org/info/85359
**************************************************************************
TRAINING UPDATE
--SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011
6 courses. Bonus evening presentations include DNS Sinkhole: Peer
Into Your Network While You Sleep; and I See What You Did There:
Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/
--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
45 courses. Bonus evening presentations include Securing the Kids;
Who is Watching the Watchers?; and Emerging Trends in the Law of
Information Security and Investigations
http://www.sans.org/network-security-2011/
-- The National Security Architecture Workshop, DC, Sept. 29-30, 2011
2-day workshop discussing techniques to ensure security is considered
in every step of the development life cycle.
http://www.sans.org/baking-security-applications-networks-2011/
-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011
3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile
Security training
http://www.sans.org/ncic-2011/
--SANS Chicago 2011, Chicago, IL, October 23-28, 2011
6 courses. Bonus evening presentations include Computer Forensics in
the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/
--SANS Seattle 2011, Seattle, WA, November 2-7, 2011
5 courses. Bonus evening presentations include Future Trends in
Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/
--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
6 courses. Bonus evening presentations include The Worst Mistakes in
Cloud Computing Security; Offensive Countermeasures; and Watching the
Wire at Home
http://www.sans.org/san-francisco-2011/
--Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
****************************************************************************
TOP OF THE NEWS
--Maine Voter Registration System Breached
(August 25)
In a statement on Wednesday, the Maine Secretary of State, Charlie
Summers, said that as a result of an alert from the Department of
Homeland Security's US-CERT team, his office is investigating a
potential breach of Maine's Central Voter Registration system (CVR). The
result may have been the exposure of the personal information of up to
one million registered Maine voters. The breach appears to be the
result of a computer connected to the CVR system becoming infected with
data-stealing malware. In an interview Summers said: "I am in the
process of assessing what, if any, information has been compromised. I
have taken immediate action to shut this computer down and disable the
username and password assigned to the town clerk." He said further that
he strongly suspects that data were accessed, but "We just don't know
how much or the size" of the breach.
http://www.infosecurity-us.com/view/20335/
--UK Government Agrees Not To Shut Down Social Networks During Riots
(August 25)
In response to the riots earlier this month in England, a meeting was
held between the UK's Home Secretary, Theresa May, police, the
Association of Chief Police Officers and representatives from Facebook,
Twitter and RIM to discuss the use of social networking sites during the
riots. Following recent comments made by the UK Prime Minister, David
Cameron, the possibility that the UK government would seek to shut down
social networks in times of civil unrest generated considerable fear.
However, it appears the meeting focused more on how social networks can
work together more closely with law enforcement agencies. A spokesperson
for the Home Office said, "The discussions looked at how law enforcement
and the networks can build on the existing relationships and
co-operation to prevent the networks being used for criminal behavior.
The government did not seek any additional powers to close down social
media networks."
http://www.zdnet.co.uk/blogs/from-both-sides-10005031/government-climbs-down-on-social-network-blocking-10024206/
http://www.bbc.co.uk/news/uk-14657456
http://www.guardian.co.uk/media/2011/aug/25/government-plan-shut-twitter-facebook
--Twitter To Use HTTPS as Default
(August 25)
Twitter has started to roll out SSL-secured connections by default for
a number of users, allowing them to connect securely to the
micro-blogging service. Connecting to Twitter over SSL was introduced
earlier this year as an option, but users had to enable it manually. In
a post on its corporate blog, Twitter said it will start to enable SSL
by default for some users. It did not say when, or whether, it would
expand SSL by default to all users.
http://www.scmagazineuk.com/twitter-begins-moving-users-to-default-https-sessions/article/210242/
http://www.v3.co.uk/v3-uk/news/2104357/twitter-secure-connections-default
http://www.computerworld.com/s/article/9219453/Twitter_turns_on_SSL_encryption_for_some_users
http://www.h-online.com/security/news/item/Twitter-starts-enabling-HTTPS-by-default-1329653.html
--ComScore Sued Over Extensive Privacy Violations
(August 24)
A class action lawsuit filed in a federal court in Chicago alleges that
the Internet tracking and analytics firm comScore has been using highly
aggressive tactics to surreptitiously collect large amounts of personal
data on individuals. The lawsuit cites the Stored Communications Act,
the Electronic Communications Privacy Act, the Computer Fraud and Abuse
Act and the Illinois Consumer Fraud and Deceptive Practices Act. The
plaintiffs in the lawsuit claim comScore collects information such as
Social Security numbers, credit card numbers, passwords and other data
from individuals' computers. The suit also alleges that comScore's
software, once installed, modifies the computer's security settings,
opens backdoors, redirects Internet traffic and scans documents and
emails for information. On one of its websites comScore states that its software
"monitors all of the Internet behavior that occurs on the computer on
which you install the application, including both your normal web
browsing and the activity that you undertake during secure sessions,
such as filling a shopping basket, completing an application form or
checking your online accounts". The software from comScore is usually
installed when the user downloads free software products such as screen
savers or music sharing software. A spokesman for comScore called the
lawsuit meritless.
http://www.theregister.co.uk/2011/08/24/comscore_privacy_lawsuit/
http://www.computerworld.com/s/article/9219444/Lawsuit_accuses_comScore_of_extensive_privacy_violations
http://www.eweek.com/c/a/Security/comScore-Accused-of-Aggressive-Surreptitious-Online-Data-Collection-in-Lawsuit-759357/
[Editor's Note (Schultz): The amount of personally-identifiable
information that is typically collected in the course of users browsing
Web sites is appalling. Citizens of EU countries should in particular
be outraged, but instead there is a kind of collective ignorance that
keeps Internet users, whether from EU countries or elsewhere, from
waking up to reality.]
*************************** SPONSORED LINKS ******************************
1) NEW Analyst Paper in the SANS Reading Room, "Optimized Network
Monitoring for Real-World Threats," by Dave Shackleford
http://www.sans.org/info/85364
2) Do not miss SANS Ask the Expert Webcast: Leveraging SSL to Battle
Emerging Security Threats. Sign up at: http://www.sans.org/info/85369
3) Be entered in a drawing to WIN a $100 American Express gift card.
Please take five minutes to help us improve the type and quality of
Vendor Programs at SANS Conferences http://www.sans.org/info/85374
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Security Breach Exposes 20,000 Log-ins
(August 24)
A security breach at an events management company, Allianceforbiz.com,
has exposed sensitive personal data belonging to 20,000 people,
including a large number of US government employees and contractors. The
information was released in a spreadsheet posted to the Internet; it
contained usernames, passwords, email addresses and whether the
individual worked for a US government agency. Allianceforbiz.com is a
trade show management company that manages conferences, meetings and
trade shows on behalf of its customers. The individual claiming
responsibility for the attack is said to be a supporter, but not a
member, of the infamous Anonymous organization already linked to a
myriad of break-ins to systems and applications worldwide.
http://www.eweekeurope.co.uk/news/hacker-exposes-us-government-staff-log-ins-37838
--Ukrainian Authorities Arrest Suspected Credit Card Fraud Gang
(August 22)
In a statement released on Monday, Ukraine's security service, the SBU,
said that earlier this month it arrested four people suspected of being
in a gang responsible for up to US$ 20 million in fraudulent credit card
transactions. The four accused are alleged to have broken into the
computer systems of Ukrainian and international financial institutions
and to have stolen the information necessary to create fake credit
cards. The SBU stated that as part of the arrests, it also seized
computer systems and equipment containing 100,000 financial records of
individuals.
http://www.pcworld.com/businesscenter/article/238579/ukraine_arrests_four_in_carding_scam.html
http://www.theregister.co.uk/2011/08/22/ukrainian_credit_card_fraud_arrests/
http://www.esecurityplanet.com/headlines/article.php/3938991/Four-Hackers--Arrested-in-Ukraine.htm
http://news.softpedia.com/news/Ukrainian-Authorities-Dismantle-Credit-Card-Fraud-Gang-218129.shtml
--U.S. Firms Targeted In Online Sabotage Attack
(August 23)
The FBI is investigating what appears to be an online sabotage attack
carried out last year against a number of US firms specializing in
selling batteries online. In total, the attacks, which took place in
October 2010, caused the victims estimated financial losses of more than
US$ 600,000. Analysis of the audit logs on the victims' servers
indicates that the attacks originated from botnets controlled by IP
addresses located within Russia. While the attacks may have originated
in Russia, it is believed that they were sponsored by a US-based
competitor of the victim companies seeking to inflict financial losses.
http://news.cnet.com/8301-1009_3-20096068-83/u.s-battery-firms-reportedly-targeted-in-online-attack/
--Email Sent To Bank Staff Reveals Contractors' Rates
(August 23)
An email inadvertently sent to 800 employees in the Royal Bank of
Scotland by a staff member of UK contracting firm, Hays, revealed the
names and contract rates of up to 3,000 contractors engaged by the bank.
Some of those contracted by the bank were shown to be charged at daily
rates of up to GBP 2,000 or US $3,270. Hays has launched an
investigation into the breach and apologized for the incident. In a
statement the contracting firm said it "recognizes that the correct
treatment of data is of the utmost importance and we are taking the
unauthorized release of this data extremely seriously". RBS is said to
be reviewing its relationship with Hays.
http://www.theregister.co.uk/2011/08/24/hays_rbs_email_fail/
http://www.computerweekly.com/Articles/2011/08/24/247707/rbs-pay-leak-reveals-the-contractors-paid-2000-a-day.htm
http://www.dailyrecord.co.uk/news/scottish-news/2011/08/24/e-mail-sent-by-mistake-reveals-rbs-contractors-are-paid-2-000-a-day-86908-23368170/
--Apache Warns of Denial-of-Service Attack Vulnerability
(August 24)
Owners of websites running the Apache web server software have been
warned of a vulnerability that can be exploited with a relatively small
number of requests directed at the server to cause a denial-of-service
condition. A tool that exploits the vulnerability, called "Apache
Killer", has been released on the Internet. The vulnerability was
originally identified over four years ago and affects servers running
all versions in the 1.3 and 2.0 releases. A patch for the vulnerability
should be released by the evening of August 26, but because release 1.3
is no longer supported, the patch will apply only to versions 2.0 and
2.2.
http://www.net-security.org/secworld.php?id=11513
http://www.theregister.co.uk/2011/08/24/devastating_apache_vuln/
http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool
http://www.h-online.com/security/news/item/Tool-causes-Apache-web-server-to-freeze-Update-1330105.html
--British Man Charged in Connection With Anonymous DDoS Attack
(August 25)
A 22-year-old student, Peter David Gibson, has been charged by British
police for his alleged role in Distributed Denial of Service attacks
carried out earlier this year under the banner of the Anonymous
collective. Gibson was one of six people arrested in April by members
of the Police Central e-Crime Unit (PCeU) for allegedly taking part in
the DDoS attacks carried out last January against a number of companies
including MasterCard and PayPal. Gibson was charged with
conspiracy to "do an unauthorized act in relation to a computer, with
intent to impair the operation of any computer or prevent or hinder
access to any program or data held in a computer or to impair the
operation of any such program or the reliability of such data," contrary
to Section 1(1) of the Criminal Law Act 1977. He is due to appear
before Westminster magistrates court in London on September 7 to face
the charges.
http://www.guardian.co.uk/technology/2011/aug/25/british-student-charged-online-attacks
http://www.net-security.org/secworld.php?id=11515
http://www.theregister.co.uk/2011/08/25/cops_charge_alleged_hacker/
http://www.bbc.co.uk/news/technology-14666733
************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAk5X4WgACgkQ+LUG5KFpTkbxrQCfb0B/VDyicYXMi/hceygO9Zj4
l9sAn1yvXHzmDp5uHKxyPL8V/8QJnJH4
=3qWS
-----END PGP SIGNATURE-----